I have this query, where I want to build a dataset from a variable and its 4 previous values. I can solve this like so: | makeresults
| eval id=split("a,b,c,d,e,f,g",",")
| eval a=split("1,...
See more...
I have this query, where I want to build a dataset from a variable and its 4 previous values. I can solve this like so: | makeresults
| eval id=split("a,b,c,d,e,f,g",",")
| eval a=split("1,2,3,4,5,6,7",",")
| eval temp=mvzip(id,a,"|")
| mvexpand temp
| rex field=temp "(?P<id>[^|]+)\|(?P<a>[^|]+)"
| fields - temp
| streamstats current=false last(a) AS a_lag1
| streamstats current=false last(a_lag1) AS a_lag2
| streamstats current=false last(a_lag2) AS a_lag3
| streamstats current=false last(a_lag3) AS a_lag4
| where isnotnull(a_lag4)
| table id a* However, if I want to extend this to say 100 previous values, this code would become convoluted and slow. I imagine there must be a better way to accomplish this goal, however my research has not produced any alternative. Any ideas are appreciated.